CISA EXAM 2 – Questions With Reliable Solutions
Save
Terms in this set (150)
Q1) Which of the following is the B) Perform an end-to-end walk-through of the
MOST efficient and sufficiently reliable process is correct. Observation is the best and most
way to test the design effectiveness of effective method to test changes to ensure that the
a change control process? process is effectively designed.
A) Interview personnel in charge of D) Test a sample population of change requests is
the change control process incorrect. Testing a sample population of changes is
a test of compliance and operating effectiveness to
B) Perform an end-to-end walk- ensure that users submitted the proper
through of the process documentation/requests. It does not test the
effectiveness of the design.
C) Test a sample of authorized
changes C) Test a sample of authorized changes is incorrect.
Testing changes that have been authorized may not
D) Test a sample population of change provide sufficient assurance of the entire process
requests because it does not test the elements of the process
related to authorization or detect changes that
bypassed the controls.
A) Interview personnel in charge of the change
control process is incorrect. This is not as effective as
a walk-through of the change controls process
because people may know the process but not
follow it.
,Q2) An organization provides C) The firewall is placed on top of the commercial
information to its supply chain operating system with all default installation options
partners and customers through an is correct. The greatest concern when implementing
extranet infrastructure. Which of the firewalls on top of commercial operating systems is
following should be the GREATEST the potential presence of vulnerabilities that could
concern to an IS auditor reviewing the undermine the security posture of the firewall
firewall security architecture? platform itself. In most circumstances, when
commercial firewalls are breached, that breach is
A) Inbound traffic is blocked unless facilitated by vulnerabilities in the underlying
the traffic type and connections have operating system. Keeping all installation options
been specifically permitted. available on the system further increases the risk of
vulnerabilities and exploits.
B) A Secure Sockets Layer has been
implemented for user authentication B) A Secure Sockets Layer has been implemented for
and remote administration of the user authentication and remote administration of the
firewall. firewall is incorrect. Using Secure Sockets Layer for
firewall administration is important because changes
C) The firewall is placed on top of the in user and supply chain partners' roles and profiles
commercial operating system with all will be dynamic.
default instillation options.
D) Firewall policies are updated on the basis of
D) Firewall policies are updated on changing requirements is incorrect. It is appropriate
the basis of changing requirements to maintain the firewall policies as needed.
A) Inbound traffic is blocked unless the traffic type
and connections have been specifically permitted is
incorrect. It is prudent to block all inbound traffic to
an extranet unless permitted.
,Q3) Which of the following choices C) Senior management identify key business
would be the BEST source of processes is correct. Developing a risk-based audit
information when developing a risk- plan must start with the identification of key business
based audit plan? processes, which determine and identify the risk that
needs to be addressed.
A) System custodians identify
vulnerabilities. B) Process owners identify key controls is incorrect.
Although process owners should be consulted to
B)Process owners identify key identify key controls, senior management is a better
controls. source to identify business processes, which are
more important. System custodians identify
C) Senior management identify key vulnerabilities is incorrect.
business processes.
A) System custodians are a good source to better
D) Peer auditors understand previous understand the risk and controls as they apply to
audit results. specific applications; however, senior management is
a better source to identify business processes, which
are more important.
D) Peer auditors understand previous audit results is
incorrect. The review of previous audit results is one
input into the audit planning process; however, if
previous audits focused on a limited or a restricted
scope or if the key business processes have changed
and/or new business processes have been
introduced, then this does contribute to the
development of a risk-based audit plan.
, Q4) Which of the following inputs D) The IT project portfolio analysis is correct.
adds the MOST value to the strategic Portfolio analysis provides the best input into the
IT initiative decision-making process? decision-making process relating to planning
strategic IT initiatives. An analysis of the IT portfolio
A)The maturity of the project provides comparable information of planned
management process initiatives, projects and ongoing IT services, which
allows the IT strategy to be aligned with the business
B) The regulatory environment strategy.
C) Past audit findings A) The maturity of the project management process
is incorrect. The maturity of the project management
D) The IT project portfolio analysis process is more important with respect to managing
the day-to-day operations of IT versus performing
strategic planning.
B) The regulatory environment is incorrect.
Regulatory requirements may drive investment in
certain technologies and initiatives; however, having
to meet regulatory requirements is not typically the
main focus of the IT and business strategy.
C) Past audit findings is incorrect. Past audit findings
may drive investment in certain technologies and
initiatives; however, having to remediate past audit
findings is not the main focus of the IT and business
strategy.
Save
Terms in this set (150)
Q1) Which of the following is the B) Perform an end-to-end walk-through of the
MOST efficient and sufficiently reliable process is correct. Observation is the best and most
way to test the design effectiveness of effective method to test changes to ensure that the
a change control process? process is effectively designed.
A) Interview personnel in charge of D) Test a sample population of change requests is
the change control process incorrect. Testing a sample population of changes is
a test of compliance and operating effectiveness to
B) Perform an end-to-end walk- ensure that users submitted the proper
through of the process documentation/requests. It does not test the
effectiveness of the design.
C) Test a sample of authorized
changes C) Test a sample of authorized changes is incorrect.
Testing changes that have been authorized may not
D) Test a sample population of change provide sufficient assurance of the entire process
requests because it does not test the elements of the process
related to authorization or detect changes that
bypassed the controls.
A) Interview personnel in charge of the change
control process is incorrect. This is not as effective as
a walk-through of the change controls process
because people may know the process but not
follow it.
,Q2) An organization provides C) The firewall is placed on top of the commercial
information to its supply chain operating system with all default installation options
partners and customers through an is correct. The greatest concern when implementing
extranet infrastructure. Which of the firewalls on top of commercial operating systems is
following should be the GREATEST the potential presence of vulnerabilities that could
concern to an IS auditor reviewing the undermine the security posture of the firewall
firewall security architecture? platform itself. In most circumstances, when
commercial firewalls are breached, that breach is
A) Inbound traffic is blocked unless facilitated by vulnerabilities in the underlying
the traffic type and connections have operating system. Keeping all installation options
been specifically permitted. available on the system further increases the risk of
vulnerabilities and exploits.
B) A Secure Sockets Layer has been
implemented for user authentication B) A Secure Sockets Layer has been implemented for
and remote administration of the user authentication and remote administration of the
firewall. firewall is incorrect. Using Secure Sockets Layer for
firewall administration is important because changes
C) The firewall is placed on top of the in user and supply chain partners' roles and profiles
commercial operating system with all will be dynamic.
default instillation options.
D) Firewall policies are updated on the basis of
D) Firewall policies are updated on changing requirements is incorrect. It is appropriate
the basis of changing requirements to maintain the firewall policies as needed.
A) Inbound traffic is blocked unless the traffic type
and connections have been specifically permitted is
incorrect. It is prudent to block all inbound traffic to
an extranet unless permitted.
,Q3) Which of the following choices C) Senior management identify key business
would be the BEST source of processes is correct. Developing a risk-based audit
information when developing a risk- plan must start with the identification of key business
based audit plan? processes, which determine and identify the risk that
needs to be addressed.
A) System custodians identify
vulnerabilities. B) Process owners identify key controls is incorrect.
Although process owners should be consulted to
B)Process owners identify key identify key controls, senior management is a better
controls. source to identify business processes, which are
more important. System custodians identify
C) Senior management identify key vulnerabilities is incorrect.
business processes.
A) System custodians are a good source to better
D) Peer auditors understand previous understand the risk and controls as they apply to
audit results. specific applications; however, senior management is
a better source to identify business processes, which
are more important.
D) Peer auditors understand previous audit results is
incorrect. The review of previous audit results is one
input into the audit planning process; however, if
previous audits focused on a limited or a restricted
scope or if the key business processes have changed
and/or new business processes have been
introduced, then this does contribute to the
development of a risk-based audit plan.
, Q4) Which of the following inputs D) The IT project portfolio analysis is correct.
adds the MOST value to the strategic Portfolio analysis provides the best input into the
IT initiative decision-making process? decision-making process relating to planning
strategic IT initiatives. An analysis of the IT portfolio
A)The maturity of the project provides comparable information of planned
management process initiatives, projects and ongoing IT services, which
allows the IT strategy to be aligned with the business
B) The regulatory environment strategy.
C) Past audit findings A) The maturity of the project management process
is incorrect. The maturity of the project management
D) The IT project portfolio analysis process is more important with respect to managing
the day-to-day operations of IT versus performing
strategic planning.
B) The regulatory environment is incorrect.
Regulatory requirements may drive investment in
certain technologies and initiatives; however, having
to meet regulatory requirements is not typically the
main focus of the IT and business strategy.
C) Past audit findings is incorrect. Past audit findings
may drive investment in certain technologies and
initiatives; however, having to remediate past audit
findings is not the main focus of the IT and business
strategy.
